Fix blackduck scans to only ever run on merges

Downstream users should say whether or not they want this, but currently
they have to work around this and use conditionals. Move the conditional
here we know they have to have, so they can go back to enabling it
properly.

Signed-off-by: Phil Dibowitz <phil@ipom.com>

Author: jaymzh

.github/workflows/ci-main-pull-request.yml

@@ -1300,7 +1300,7 @@ jobs:
 
   BlackDuck-Polaris-SAST:
     name: 'BlackDuck Polaris SAST scan'
-    if: ${{ inputs.perform-blackduck-polaris }}
+    if: ${{ inputs.perform-blackduck-polaris && github.event_name == 'push' }}}
     uses: chef/common-github-actions/.github/workflows/polaris-sast.yml@main
     needs: checkout
     secrets: inherit
@@ -1576,7 +1576,7 @@ jobs:
       github-branch-name: ${{ inputs.github-branch-name }}
       version: ${{ inputs.version }}
       export-github-sbom: ${{ inputs.export-github-sbom }}
-      perform-blackduck-sca-scan: ${{ inputs.perform-blackduck-sca-scan }}
+      perform-blackduck-sca-scan: ${{ inputs.perform-blackduck-sca-scan && github.event_name == 'push' }}}
       # generate-blackduck-sbom: ${{ inputs.generate-blackduck-sbom }}  # obsolete, remove TODO
       blackduck-project-group-name: ${{ inputs.blackduck-project-group-name }}
       blackduck-project-name: ${{ inputs.blackduck-project-name }}